Secure Cloud Storage with Client-Side Encryption Using a Trusted Execution Environment

With the evolution of computer systems, the amount of sensitive data to be stored as well as the number of threats on these data grow up, making the data confidentiality increasingly important to computer users. Currently, with devices always connected to the Internet, the use of cloud data storage services has become practical and common, allowing quick access to such data wherever the user is. Such practicality brings with it a concern, precisely the confidentiality of the data which is delivered to third parties for storage. In the home environment, disk encryption tools have gained special attention from users, being used on personal computers and also having native options in some smartphone operating systems. The present work uses the data sealing, feature provided by the Intel Software Guard Extensions (Intel SGX) technology, for file encryption. A virtual file system is created in which applications can store their data, keeping the security guarantees provided by the Intel SGX technology, before send the data to a storage provider. This way, even if the storage provider is compromised, the data are safe. To validate the proposal, the Cryptomator software, which is a free client-side encryption tool for cloud files, was integrated with an Intel SGX application (enclave) for data sealing. The results demonstrate that the solution is feasible, in terms of performance and security, and can be expanded and refined for practical use and integration with cloud synchronization services

Single-random phase encoding architecture using a focus tunable lens

We propose a new nonlinear optical architecture based on a focus tunable lens and an iterative phase retrieval algorithm. It constitutes a compact encryption system that uses a single-random phase key to simultaneously encrypt (decrypt) amplitude and phase data. Summarily, the information encoded in a transmittance object (phase and amplitude) is randomly modulated by a diffuser when a laser beam illuminates it; once the beam reaches a focus tunable lens, different subjective speckle distributions are registered at some image plane as the focal length is tuned to different values. This set of speckle patterns constitutes a delocalized ciphertext, which is used in an iterative phase retrieval algorithm to reconstruct a complex ciphertext. The original data are decrypted propagating this ciphertext through a virtual optical system. In this system, amplitude data are straightforwardly decrypted while phase data can only be restored if the random modulation produced in the encryption process is compensated. Thus, an encryption-decryption process and authentication protocol can simultaneously be performed. We validate the feasibility of our proposal with simulated and experimental results.Fil: Mosso Solano, Edward Fabian. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina. Pontificia Universidad Católica de Valparaíso; ChileFil: Bolognini, Nestor Alberto. Universidad Nacional de La Plata. Facultad de Ciencias Exactas; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - La Plata. Centro de Investigaciones Ópticas. Provincia de Buenos Aires. Gobernación. Comisión de Investigaciones Científicas. Centro de Investigaciones Ópticas. Universidad Nacional de La Plata. Centro de Investigaciones Ópticas; ArgentinaFil: Pérez, D.G.. Pontificia Universidad Católica de Valparaíso; Chil

Execution Integrity with In-Place Encryption

Instruction set randomization (ISR) was initially proposed with the main goal of countering code-injection attacks. However, ISR seems to have lost its appeal since code-injection attacks became less attractive because protection mechanisms such as data execution prevention (DEP) as well as code-reuse attacks became more prevalent. In this paper, we show that ISR can be extended to also protect against code-reuse attacks while at the same time offering security guarantees similar to those of software diversity, control-flow integrity, and information hiding. We present Scylla, a scheme that deploys a new technique for in-place code encryption to hide the code layout of a randomized binary, and restricts the control flow to a benign execution path. This allows us to i) implicitly restrict control-flow targets to basic block entries without requiring the extraction of a control-flow graph, ii) achieve execution integrity within legitimate basic blocks, and iii) hide the underlying code layout under malicious read access to the program. Our analysis demonstrates that Scylla is capable of preventing state-of-the-art attacks such as just-in-time return-oriented programming (JIT-ROP) and crash-resistant oriented programming (CROP). We extensively evaluate our prototype implementation of Scylla and show feasible performance overhead. We also provide details on how this overhead can be significantly reduced with dedicated hardware support